Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and...
Transcript of Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and...
![Page 1: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/1.jpg)
Hard Problems:Information Assurance
Richard HaleChief Information Assurance ExecutiveDefense Information Systems Agency
September 5, 2008
![Page 2: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/2.jpg)
2
Our IA Goals
(Our Highest Level Hard Problems)
![Page 3: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/3.jpg)
3
1. Ensuring that DoD and its mission partners can depend on information and on the information infrastructure in the face of physical and cyber warfare
Or, Dependability in the Face of Cyber Warfare
(Aka Mission Assurance)
![Page 4: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/4.jpg)
4
2. Ensuring that DoD and its mission partners can keep a secret (when we/they want to)
![Page 5: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/5.jpg)
5
Hard Problem:Keeping a Secret While Sharing
Broadly
Not so SecretSecret Public
1 10 100 . . . 109
Number of People With Access
![Page 6: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/6.jpg)
6
My Oversimplification of How DoD Is Pursuing These IA
(and sharing) Goals
![Page 7: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/7.jpg)
7
Part 1
Limit exposure of vulnerabilities by
– Removing as many of these vulnerabilities as possible (e.g. encrypt when appropriate, configurethings securely, remove unnecessary functions, eliminate passwords)
– Layering protections that incrementally limit the population with access to a given vulnerability (defense-in-depth)
– Designing what DoD looks like to partners, to the public, to adversaries
![Page 8: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/8.jpg)
8
Part 2
Drive-out anonymity (and enable net-centricity and improve sharing) by broad use of non-spoofable cyber identity credentials (aka PKI)– Minimize whole classes of worries; brings
accountability, worries some classes of bad guys
Build and operate an attack detection and diagnosis capability that allows rapid, sure, militarily useful reaction to cyber attacks
Improve joint, coalition, interagency, & industry partner cyber operations/ NETOPS so the above is possible
![Page 9: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/9.jpg)
9
Integrity
Availability
Confidentiality InherentVulnerabilities
Vulnerabilities
Attacks Are• Highly Scalable• Fast to Develop
Attacks Are• Non-Scalable• Long to Develop
VulnerabilitiesThat Are
OperationallyInduced by an
Adversary
![Page 10: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/10.jpg)
10
After the Basics:
Attacks Are• Non-Scalable• Long to Develop
![Page 11: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/11.jpg)
11
Hard Problem: Then What?
Possibility? Introduce uncertainty for the attackers in the operationally induced vulnerability area– If the attack takes time to develop then
changes can disrupt the effectiveness of the attack
– (Churn as a defense strategy)
Hard Problem: How?
![Page 12: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/12.jpg)
12
Related Hard Problem: Spotting and Diagnosing & Reacting to an
Engineered-In Attack
![Page 13: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/13.jpg)
13
Back To The Basics
• Configuring everything properly means we encourage homogeneity owing to opportunities to automate, economies, simpler training, etc.
• Hard problem: How far can (should) we take homogeneity?
![Page 14: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/14.jpg)
14
Hard Problems: Software & Systems
• Understanding that complex software or software and hardware is benign
• Or (harder?), understanding how it isn’t but finding ways to use it anyway
• Doing either of the above without good access to design documents, source code, developers, process audits, etc
• Globalized supply chain is a challenge (giant understatement)
![Page 15: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/15.jpg)
15
Hard Problem: Information Sharing in the Federal Government in the Face of
System High
(Or, What System-High Wrought)
![Page 16: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/16.jpg)
16
NIPRNET
SIPRNET
JWICS
Internet
![Page 17: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/17.jpg)
17
Sharing With Allies
![Page 18: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/18.jpg)
18
NIPRNET
SIPRNET
JWICS
Internet
CENTRIXS1NATO
CFBLnet
CENTRIXS2
Centrixs3Bi-lat
abcabc
aa
a
![Page 19: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/19.jpg)
19
Sharing in the Interagency
![Page 20: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/20.jpg)
20
NIPRNET
SIPRNET
JWICS
Internet
CENTRIXS 1NATO
CFBLnet
CENTRIXS 2
centrixs3Bi-lat
abcabc
aa
a
New Federal Interconnect net?
Federal, State, & LocalClassified Net ?
Federal Classified Net
![Page 21: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/21.jpg)
21
A Typical Netcentric Mission Thread
![Page 22: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/22.jpg)
22
NIPRNET
SIPRNET
JWICS
Internet
CENTRIXS1NATO
CFBLnet
CENTRIXS2
centrixs3Bi-lat
abcabc
aa
a
![Page 23: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/23.jpg)
23
NIPRNET
SIPRNET
JWICS
Internet
CENTRIXS1NATO
CFBLnet
CENTRIXS2
centrixs3Bi-lat
abcabc
aa
a
(Hard Problem)
![Page 24: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/24.jpg)
24
How Exactly Does That Sharing Work Now?
![Page 25: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/25.jpg)
25
NIPRNET
SIPRNET
JWICS
Internet
CENTRIXS1
CFBLnet
CENTRIXS2
Centrixs3Bi-lat
abcabc
aa
a
Cross Domain Stuff
NATO
![Page 26: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/26.jpg)
26
NIPRNET
SIPRNET
JWICS
Internet
CENTRIXS1
CFBLnet
CENTRIXS2
Centrixs3Bi-lat
abcabc
aa
a
(So, This is a Closely Related Hard Problem)
NATO
![Page 27: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/27.jpg)
27
All this System-High stuff is pretty much focused on maybe half of Goal 2, that is, Confidentiality (and maybe
some of the sharing part)
![Page 28: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/28.jpg)
28
What’s System-High Got to Do With
Assured Mission Execution in the
Face of Cyber Attack? . . .
![Page 29: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/29.jpg)
29
Integrity
Secrecy
Availa
bility
BakeSale
NuclearC2
![Page 30: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/30.jpg)
30
How About All Those Missions In the Middle?
? Availa
bility
? ?Integrity
??
?U
S
TS
![Page 31: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/31.jpg)
31
• System-High came from the days before everything was connected to everything else.
• It gives no priority to MISSION, only classification
• Hard Problems– Is there an overall architectural model for
availability? What is it?– Ditto for integrity protection
![Page 32: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/32.jpg)
32
A Little Bit About Driving Out Anonymity (& Improving Sharing?):
![Page 33: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/33.jpg)
33
Challenge: DoD PKI Credential Quality(How Much Can I Trust This Credential I’ve Been
Presented?)
Cre
dent
ial Q
ualit
y
Time
Use of DEERSIdentity system
Use of hardware token(CAC) for the private key
Use of HardwareCrypto in CAs
![Page 34: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/34.jpg)
34
Hard Problem: Ad Hoc Coalitions
We often don’t know in advance with whom DoD will be working
Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in
spite of the lack of information about the other parties
![Page 35: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/35.jpg)
35
Portion of This Hard Problem: How Do I Decide Whether to Accept Someone
Else’s Identity Credential?
And harder yet…what do I do when someone has none?
![Page 36: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/36.jpg)
36
Making an Access Control Decision
![Page 37: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/37.jpg)
37
Step 1. Determine that it’s really me
Step 2. Then, learn things about the real mebefore deciding to take a risk on me
Before:Allowing me to access information,Allowing me to act in a certain role,
Doing business with me, etc.
![Page 38: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/38.jpg)
38
Step 1: I present my credential (or hopefully I use my PKI private key to
authenticate).
Then, all that stuff about me comes into play
![Page 39: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/39.jpg)
39
Who Knows, Who Tells the Things About Me?
I DoBut if you don’t know me, will
you trust what I say?
Others DoYou might trust some of what others say about me (attributes about me)
![Page 40: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/40.jpg)
40
Using Attributes About a Person, an Organization, A Service to Make A Sharing Decision
DataDataServiceConsumerService
Consumer
Policy Decision Service
Policy Enforcement
Point
ServiceProvider
Request(with PKI authentication)
Attribute Store Attribute Store
AttributesManor Machine
(Attribute-Based Access Control)
![Page 41: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/41.jpg)
41
End User Hard Problem: Are Those Attributes Worthy of My Trust?
(Can I Make a Good Business Decision With Them?)
![Page 42: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/42.jpg)
42
Hard Problem: Current cyber technologies don’t give end-users
many useful, reliable cues so social engineering and technical attacks
against end-users are easy
![Page 43: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/43.jpg)
43
Background: Those PKI Credentials
Bill Smith A Public Key
Trustworthy Third Party’s Signature That Binds the
Name and Key Cryptographically
A PKI Certificate
Increased assurance that Bill’s public key is really his, and not
John’s or Sam’s
![Page 44: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/44.jpg)
44
Attributes and the Directory Problem• Tight tie between me and my public key provided by
my PKI cert (and by careful design of the issuance process)
• Hard Problem: Where’s the tight tie between me (my name or some other unique identifier) and an attribute about me?
• Hard Problem: Who is authoritative for particular information about me?
How does a relying party know that my credit score, my clearance, my role, my
grades, are really mine?
How does a relying party know that my credit score, my clearance, my role, my
grades, are really mine?
![Page 45: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/45.jpg)
45
It Gets Harder the Farther From DoD I Go
• Getting authoritative information is harder• Getting tamper resistant/tamper evident information
is harder• Understanding the reliability of third parties who will
vouch for attribute information is harder• Etc…
![Page 46: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/46.jpg)
46
Hard Problem: How Do I Use Combinations of High Quality and
Lower Quality Data to Make an Access Control Decision?
Fuzzy Attribute-Based (or Other) Access Control?
![Page 47: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/47.jpg)
47
What About Fuzzy Attributes?
• We “add-up” answers to questions in real life. We make decisions based on a pattern of answers & patterns of experience
So, can we structure our systems so that a pattern of answers, possibly from many sources, adds up to something stronger than any of the answers themselves?
![Page 48: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/48.jpg)
48
More General Hard Problem: How do we quickly establish sufficient trust
between/among partners (in spite of the anonymity and the uncertain
integrity of cyber space) to get work done?
![Page 49: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/49.jpg)
49
Sharing & Application Agility:
DoD Is Moving To The Service Oriented Architecture For Many Functions
Loosely coupled so innovation at the pace of each service provider. Business
processes developed fast, especially if only need to compose existing services
![Page 50: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/50.jpg)
50
The Simple View of the SOA
Service Interface
Service ProviderService Provider
ServiceConsumerService
Consumer
The WAN
![Page 51: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/51.jpg)
51
Composition of Services into an Application
![Page 52: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/52.jpg)
52
Many Service Providers
![Page 53: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/53.jpg)
53
Hard Problem: Developing, composing and operating for dependability in the face of cyber attack (and in the face of the many possibly
independent service providers)
Related Hard Problem: Ditto for dependability, accuracy, performance, etc., in the face of normal operations (how to we understand and manage these properties?)
![Page 54: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/54.jpg)
54
Related Hard Problems:1. If there is only one human in this SOA picture, how does each service determine the human is really the entity on whose behalf service is being requested, and how does it make an (attribute based?) access control/service provisioning decision.
2.Can we assure each service provider that that service provider’s policy is being followed?
![Page 55: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/55.jpg)
55
What’s Behind the Service Interface?
Firewall
Ap Switch
Ap Server
Router
Ap Server Ap Server
Ap Switch
Ap Switch
Database Server
Database Server
Database Server
VPN crypto
Hosting Center
Router Router
Router
The WAN
![Page 56: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/56.jpg)
56
Problem: How Does Identity, Credentialing, Composition, etc. Work and What Can I Trust When All of This
Stuff is Virtualized?
(Maybe This Isn’t A Problem)
![Page 57: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/57.jpg)
57
Hard Problem: Fragility Avoidance as We Deploy All of This Security Stuff
(Remember Our Customers)
(CAC PIN reset and my trip from south-western PA to Camp Dawson WV)
![Page 58: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/58.jpg)
58
Hard Problem: The Network Is Converging
Who do you call when the everything-over-IP network is down? How did you do that again?
![Page 59: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/59.jpg)
59
Incident & AttackDetection, Diagnosis, and Reaction
![Page 60: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/60.jpg)
60
Context for NETOPS
• DoD is really big, really complicated, and really mobile
– 7 million things with IP addresses for instance– Everything has huge quantities of software and incredibly
complicated hardware in it
• We’re executing missions with thousands of partners who also have complicated organizations and infrastructures
![Page 61: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/61.jpg)
61
Hard Problem: How Do We Ensure the Information Infrastructure Is Properly Supporting All (or the most important)
Missions?
Related Hard Problem: How do we spot, diagnose, and do something about problems, especially cyber attacks in this infrastructure?
![Page 62: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/62.jpg)
62
Hard Problem: (The Computer Network Defense Process)
• Detect the incident or attack or problem (hopefully before it’s launched)
• Diagnose what’s going on• Develop militarily useful courses of action• Pick one• Execute it• Then follow up• Across all pieces/parts and all organizations
that make up a mission thread
All in militarily useful time
![Page 63: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/63.jpg)
63
To Summarize…
![Page 64: Hard Problems: Information Assurance · Yet, we need to begin quickly sharing (…safely) and collaborating (safely) in ... But if you don’t know me, will you trust what I say?](https://reader036.fdocuments.in/reader036/viewer/2022070721/5ee33e78ad6a402d666d3d95/html5/thumbnails/64.jpg)
64
1. Dependability in the Face of Cyber Attack
2. Keeping a Secret
Both While Simultaneously Sharing Information Broadly